More and more, individuals are using wireless internet by means of their mobile phones, PDAs, laptops, or other portable devices. With mobile phones, users are able to use the wireless 3G or 4G connection within range of their network. However, when it comes to connecting laptop computers or other electronic devices, users must connect to WiFi where available. When not at home or at another specific location with an internet connection, users often look for internet cafes or other places that offer free wireless internet. The difficulty for users is that they have no way of knowing whether an available WiFi connection is authentic or secure.
With the explosion of available open complementary hotspots, businesses and individuals have begun to offload their internet traffic from pay mobile broadband companies. They use these open hotspots in addition to their mobile data plans in order to reduce costs and improve the end-user experience. Security has become a concern with open complementary hotspots, as threats that maliciously capture users' data and credential information have become prevalent.
Two of the largest threats to data are a “Twin Attack,” in which a second access point (“AP”) broadcasts the same service set identifier (“SSID”) as the one the user is looking to connect to, and a “Man in the Middle attack,” in which a computer acts like the hosting AP, broadcasts its SSID, and relays the traffic to the desired endpoint. Either allows an attacker to pose as the desired AP and inspect the packets being passed to the desired endpoint.
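As an added example (not part of the patent text), the following Python checks a Wi-Fi scan for the passive indicators of a Twin Attack described above: a BSSID that has never been seen for a given SSID, or an open network offered alongside secured networks carrying the same SSID. The scan records, the SSIDs, the BSSIDs and the trusted-BSSID list are all constructed for illustration.

```python
"""Added example: flagging likely twin access points in a Wi-Fi scan.
The scan records, the trusted-BSSID list and all SSIDs/BSSIDs are
constructed for illustration; they are not from the patent text."""
from collections import defaultdict

# Constructed scan results, as a client's Wi-Fi stack might report them.
SAMPLE_SCAN = [
    {"ssid": "CafeFreeWiFi", "bssid": "00:11:22:33:44:55", "security": "WPA2", "channel": 6},
    {"ssid": "CafeFreeWiFi", "bssid": "00:11:22:33:44:56", "security": "WPA2", "channel": 11},
    {"ssid": "CafeFreeWiFi", "bssid": "aa:bb:cc:dd:ee:ff", "security": "OPEN", "channel": 6},
    {"ssid": "HomeNet", "bssid": "11:22:33:44:55:66", "security": "WPA2", "channel": 1},
]

# Assumed: BSSIDs the client recorded on an earlier trusted visit (or that the
# operator published). Several BSSIDs per SSID is normal for a multi-AP venue,
# so BSSID count alone is not an indicator.
TRUSTED_BSSIDS = {"CafeFreeWiFi": {"00:11:22:33:44:55", "00:11:22:33:44:56"}}


def find_suspicious_aps(scan, trusted):
    """Return APs whose BSSID or security type contradicts what is known for their SSID."""
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = []
    for ssid, aps in by_ssid.items():
        known = trusted.get(ssid, set())
        securities = {ap["security"] for ap in aps}
        for ap in aps:
            reasons = []
            # A BSSID never seen for this SSID is the primary indicator when a trusted list exists.
            if known and ap["bssid"].lower() not in known:
                reasons.append("bssid not in trusted list for this ssid")
            # The same SSID offered both secured and open is a classic twin pattern.
            if len(securities) > 1 and ap["security"] == "OPEN":
                reasons.append("open network alongside secured networks with the same ssid")
            if reasons:
                findings.append({"ssid": ssid, "bssid": ap["bssid"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_aps(SAMPLE_SCAN, TRUSTED_BSSIDS):
        print(f["ssid"], f["bssid"], "; ".join(f["reasons"]))
```

These checks are heuristics: a twin that clones the genuine BSSID and security type is indistinguishable in a scan, which is exactly why the verification step the patent goes on to describe has to happen before any credentials are sent rather than relying on scan results alone.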
Due to the ease with which an attacker sharing an unsecured network broadcast can steal data and other personal information passed over it, there is a need to identify secure internet hotspots to ensure protection of information. Thus, the present invention includes methods of securely identifying these hotspots before sensitive information is passed. The goal of the present invention is to help ensure the safety of a user's credentials, while also providing assurances to the user that the hotspot to which they are connecting is in fact the one they think it is.
The present invention discloses a roaming implementation for internet service providers, which is adapted to verify, to an entity connected to a network, that the network is indeed the WiFi Access Point to which the user intended to connect. The present invention therefore presents a system and method that allows users to roam between wireless internet service providers, in a fashion similar to that used to allow cellphone users to roam between carriers. It aims to solve the problem of vulnerable passage of secure information by taking the extra step of verifying the AP before any credentials are passed, and by continuing to verify this AP every time a connection occurs thereafter. These extra measures aim to ensure that the user's credentials and device information are not passed to a malicious entity or to anyone not intended or desired to receive such information, and that whenever a reconnection occurs, the validity of the network is verified.
The present invention discloses a system and method that preferably expands upon how a “Client” establishes a connection to an AP “Hotspot” and performs authentication. The present invention is not intended to limit how a client would identify or verify the true identity of the AP, but presents an improvement and an alternative method for such verification of the hotspot's identity.
In a preferred embodiment of the present invention, a client or user can connect to an AP from a device having a processor, a memory, and a radio transceiver, and perform an initial probe request. Upon completion of the probe request, a URL will preferably be returned that the client can use to probe for further information about the authenticating source. Upon retrieval of this authenticating information, the client can verify the data retrieved with its internal source and then either allow the authentication to continue or drop the connection with the AP. This protects the user from passing their credentials to an unknown source and also protects them from passing traffic on a compromised network.
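The connection sequence in the preferred embodiment (probe request, URL returned, client fetches authenticating information, client checks it against its internal source, then continues or drops) can be simulated end to end. The following Python is an added example and not the patent's own method or code. It assumes, as a stand-in for "verifying with its internal source", that the authenticating source proves its identity with an HMAC-SHA256 over a client-chosen nonce using a key shared between the client and the provider, in the spirit of the cellular-roaming analogy the text draws; the provider name, key, URL, SSID and BSSIDs are constructed sample values.

```python
"""Added example: a client verifying a hotspot's authenticating source before
sending credentials. Assumed (not from the patent text): the source proves its
identity with HMAC-SHA256 over a client nonce using a per-provider shared key
held in the client's trust store, like a SIM secret in cellular roaming."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Assumed internal source: per-provider shared keys in the client's trust store.
# The key is a constructed sample value, not a real credential.
CLIENT_TRUST_STORE = {
    "ExampleISP": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2),
}


def compute_proof(key, provider, bssid, ssid, nonce):
    """HMAC over a canonical encoding of (provider, bssid, ssid, nonce)."""
    msg = json.dumps(
        {"provider": provider, "bssid": bssid.lower(), "ssid": ssid, "nonce": nonce.hex()},
        sort_keys=True,
    ).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuthSource:
    """Stand-in for the provider endpoint the probe-response URL points at."""

    def __init__(self, provider, key, bssid, ssid):
        self.provider, self.key, self.bssid, self.ssid = provider, key, bssid, ssid

    def respond(self, nonce):
        return {
            "provider": self.provider,
            "bssid": self.bssid,
            "ssid": self.ssid,
            "proof": compute_proof(self.key, self.provider, self.bssid, self.ssid, nonce),
        }


class ReplaySource:
    """Returns a previously captured response regardless of the nonce sent."""

    def __init__(self, captured):
        self.captured = captured

    def respond(self, nonce):
        return self.captured


def verify_hotspot(url, connected_bssid, expected_ssid, auth_source, trust_store):
    """Return ("ALLOW", reason) or ("DROP", reason) for the AP the client is on."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        return "DROP", "probe response URL is not https"
    nonce = secrets.token_bytes(16)  # fresh per verification, including every reconnect
    resp = auth_source.respond(nonce)
    key = trust_store.get(resp.get("provider"))
    if key is None:
        return "DROP", "unknown provider"
    if resp.get("bssid", "").lower() != connected_bssid.lower() or resp.get("ssid") != expected_ssid:
        return "DROP", "authenticating source describes a different AP"
    expected = compute_proof(key, resp["provider"], resp["bssid"], resp["ssid"], nonce)
    if not hmac.compare_digest(expected, str(resp.get("proof", ""))):
        return "DROP", "proof does not verify against internal trust store"
    return "ALLOW", "AP identity verified"


# Constructed scenario values.
GENUINE_BSSID = "00:11:22:33:44:55"
SSID = "CafeFreeWiFi"
PROBE_URL = "https://auth.example-isp.invalid/verify"


def run_scenarios():
    """Exercise the genuine AP, a twin without the key, a replayed proof, and a plain-http URL."""
    key = CLIENT_TRUST_STORE["ExampleISP"]
    genuine = AuthSource("ExampleISP", key, GENUINE_BSSID, SSID)
    twin = AuthSource("ExampleISP", b"not-the-provider-key", "aa:bb:cc:dd:ee:ff", SSID)
    replayed = ReplaySource(genuine.respond(secrets.token_bytes(16)))
    return {
        "genuine": verify_hotspot(PROBE_URL, GENUINE_BSSID, SSID, genuine, CLIENT_TRUST_STORE)[0],
        "twin": verify_hotspot(PROBE_URL, "aa:bb:cc:dd:ee:ff", SSID, twin, CLIENT_TRUST_STORE)[0],
        "replay": verify_hotspot(PROBE_URL, GENUINE_BSSID, SSID, replayed, CLIENT_TRUST_STORE)[0],
        "plain_http": verify_hotspot("http://auth.example-isp.invalid/verify",
                                     GENUINE_BSSID, SSID, genuine, CLIENT_TRUST_STORE)[0],
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision}")
```

The client-chosen nonce is what makes the "verify again on every reconnection" requirement meaningful: a captured proof from an earlier session does not verify later, and a twin AP that lacks the provider key cannot produce one at all. A shared HMAC key is used here only because it needs no third-party library; a deployment would more likely have the authenticating source sign the response with a key the client can check through a pinned certificate, which avoids distributing per-provider secrets to every client.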